Difference between revisions of "PSWEpisode645"

From Security Weekly Wiki
Latest revision as of 21:05, 3 April 2020

Paul's Security Weekly Episode 645 - 2020-04-02

Episode Audio

Paul's Security Weekly Episode 645

Announcements

  • Is your Open Source code secure? Learn how to verify your code during development, not after the build in our next webcast with Synopsys. Register for our upcoming webcasts or virtual trainings by visiting securityweekly.com/webcasts. You can also access our on-demand library of previously recorded webcasts/trainings by visiting securityweekly.com/ondemand. Each webcast will earn you 1 CPE credit that we will submit on your behalf if you provide your ISC2 number.
  • We have officially migrated our mailing list BACK to our original platform! We have our categories nailed down and you are now able to customize what you receive from us based on your preferences by visiting securityweekly.com/subscribe and clicking the button to join the list! Once you have joined, you will also be able to go back and update your "interests" so that we can grow with you as you progress through your journey in InfoSec!
  • We are looking for high-quality guest suggestions for our Enterprise Security Weekly podcast to fill our upcoming recording schedule! We're committed to educating and providing entertainment for the InfoSec community and we would love to hear from you about who you would like us to interview on the show! Submit your suggestions for guests by visiting securityweekly.com/guests and submitting the form! We review suggestions monthly and will reach out to you once reviewed!
  • Join Qualys for VMDR Live on April 21 at 2pm ET for a live demonstration of the game-changing Vulnerability Management, Detection & Response offering - a unified solution that integrates vulnerability management, threat prioritization and patching in a single app. Register at securityweekly.com/VMDR2020

Interview: Collaboration Between NetOps and SecOps in Today's World - 6:00-6:45PM

Description:

Matt and the Security Weekly crew will discuss how the interaction between network engineers and security operations has changed over the years, as well as the value of the network when identifying security threats and performing remediation.

For more information on VIAVI Solutions, visit: https://securityweekly.com/viavi

Guest: Matt Allen is Senior Solutions Engineer at VIAVI Solutions

Bio: Matt Allen is a Senior Solutions Engineer at VIAVI Solutions. Prior to his 8 years at VIAVI, Matt garnered 20 years of experience in the network engineering and telecommunications space. He holds the following certifications: Amazon Cloud Practitioner, Microsoft Certified Solutions Expert, Cisco Certified Network Associate, Certified Novell Engineer, and most recently Certified Ethical Hacker.

Hosts

Jeff Man - Sr. InfoSec Consultant at Online Business Systems
Larry Pesce - Senior Managing Consultant and Director of Research at InGuardians
Lee Neely - Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian - Founder & CTO at Security Weekly
Tyler Robinson - Managing Director of Network Operations at Nisos, Inc

Interview: IoT Devices: Security and Privacy Labels Research - 6:00-6:45PM

Description:

At Carnegie Mellon University we are designing a usable security and privacy label for smart devices to help consumers make informed choices about Internet of Things device purchases and encourage manufacturers to disclose their privacy and security practices. The label includes information on privacy and security practices of the smart device, such as the type of data the device collects and whether or not the device gets automatic security updates. Based on research with both consumers and experts, we have designed a two-layer label that includes a simple, understandable primary layer for consumers and a more detailed secondary layer that includes information important to experts.

Content:

The IoT security and privacy label and two research papers are at https://iotsecurityprivacy.org

Lorrie also talked about another paper that isn’t published yet in which they did a large user study to find out whether users understand the factors in the label and whether they would influence their purchase decisions.

The IoT privacy infrastructure is at https://www.iotprivacy.io/ (See the video in the bottom left of the front page).

Guest: Lorrie Cranor is Director, CyLab Security and Privacy Institute at Carnegie Mellon University

Bio: Lorrie Faith Cranor is the Director and Bosch Distinguished Professor in Security and Privacy Technologies of CyLab and the FORE Systems Professor of Computer Science and of Engineering and Public Policy at Carnegie Mellon University. She also directs the CyLab Usable Privacy and Security Laboratory (CUPS) and co-directs the MSIT-Privacy Engineering masters program.

Hosts

Jeff Man - Sr. InfoSec Consultant at Online Business Systems
Larry Pesce - Senior Managing Consultant and Director of Research at InGuardians
Lee Neely - Senior Cyber Analyst at Lawrence Livermore National Laboratory
Paul Asadoorian - Founder & CTO at Security Weekly
Tyler Robinson - Managing Director of Network Operations at Nisos, Inc

Fullaudio - None

Description:

This week, we welcome Matt Allen, Senior Solutions Engineer at VIAVI Solutions, to discuss Collaboration between NetOps and SecOps in today's world! In our second segment, we welcome Lorrie Cranor, Director of CyLab Security and Privacy Institute at Carnegie Mellon University, to discuss Research on Security and Privacy labels for IoT devices! In the Security News, Two Zoom Zero-Day Flaws Uncovered, Millions of routers running OpenWRT vulnerable to attack, Marriott says 5.2 million guest records were stolen in another data breach, PoC Exploits for CVE-2020-0796 (SMBGhost) Privilege Escalation flaw published, and we welcome our very special guest for tonight, Dave Kennedy, who joins us to talk about Video Chat Client Vulnerability History and the recent Zoom Vulnerabilities!

For more information on VIAVI Solutions, visit: https://securityweekly.com/viavi

Visit https://www.securityweekly.com/psw for all the latest episodes!

Visit https://securityweekly.com/acm to sign up for a demo or buy our AI Hunter!

Follow us on Twitter: https://www.twitter.com/securityweekly

Like us on Facebook: https://www.facebook.com/secweekly

News - Security News - To Zoom or Not to Zoom

Description:

This segment will largely focus on the recent Zoom vulnerabilities and the responses from security researchers, the security community and enterprises. Should you stop using Zoom? Tune in to find out! (Hint: Uhm, probably not).


Content:

https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/ Two Zoom Zero-Day Flaws Uncovered

https://www.securityweek.com/trojanized-zoom-apps-target-work-home-android-users Trojanized Zoom Apps Target Remote Workers

https://threatpost.com/zoom-removes-data-mining-linkedin-feature/154404/ Zoom Removes Data-Mining LinkedIn Feature

https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/ War Dialing Tool Exposes Zoom's Password Problems

https://www.vmray.com/cyber-security-blog/zoom-macos-installer-analysis-good-apps-behaving-badly/ Good Apps Behaving Badly: Zoom macOS Installer - VMRay

https://www.vice.com/en_ca/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook Account

https://medium.com/bugbountywriteup/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!

https://github.com/jitsi/docker-jitsi-meet Jitsi Meet on Docker - We are testing this here, but only because we can control the network flows, e.g. we can stand up servers and clients and have them connect directly rather than bouncing through other people's servers. I have not done a security assessment yet. It was not security that drove us to test it out, in fact, I am worried about how tightly maintained WE can keep it, vs. having an entire team like Zoom or Microsoft.


Jeff Man's Content:

  1. New Release: Tribe of Hackers Security Leaders - getting the shameless plug out of the way, but genuinely a good read
  2. Marriott says 5.2 million guest records were stolen in another data breach - Nothing to see here/no PCI data compromised
  3. Introduce Kids to Cybersecurity With This Free Activity Book - the kids are home anyway, might as well make them hackers
  4. Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

Larry Pesce's Content:

  1. Zoombombing is a thing
  2. Wardialing for Zoom meetings - Nice work Trent Lo!
  3. When geofencing goes wrong

Lee Neely's Content:

  1. Spy Group Used 5 Zero-Days to Hack North Koreans - Phishing attacks used to exploit IE, Chrome and Windows zero-day vulnerabilities to conduct watering hole attacks.
  2. Dharma Ransomware source for sale on Hacking Forums - Dharma is based on Crysis, and a tool was released in February to allow decryption without paying the ransom.
  3. Hackers taking advantage of Zoom's popularity to push Malware - Hackers impersonate Zoom related sites to entice users to install unwanted/malicious add-ons and software.
  4. Marriott Data Breach exposes data of 52 million guests - Contact, stay preference, affiliations and personal data ripe for phishing exposed.
  5. 'Zoom-bombing': FBI warns some teleconferences, online classrooms vulnerable to hackers - Remember to secure your VTC, Zoom or otherwise: make it private, require a password and check attendees.
  6. PoC Exploits for CVE-2020-0796 (SMBGhost) Privilege Escalation flaw published - SMBGhost is a high-risk wormable attack. Neither PoC enables wormable behavior.
  7. 'Secure' Backup company leaks 135 million records online - Los Angeles based SOS Online Backup customer information database misconfigured. Exposed data includes user names, email, phone, business details, along with backup system structure. May run afoul of CCPA and GDPR regulations.
  8. Your Social Security Number Costs $4 on The Dark Web - Report by Atlas VPN finds that for $4 you can get SSN, full name, driver's license, passport number and email address. Pricing depends on victim's credit score.

Paul Asadoorian's Content:

Zoom Stories

  1. Two Zoom Zero-Day Flaws Uncovered
  2. Trojanized Zoom Apps Target Remote Workers | SecurityWeek.Com
  3. Zoom Removes Data-Mining LinkedIn Feature
  4. War Dialing Tool Exposes Zoom's Password Problems - Krebs on Security
  5. Good Apps Behaving Badly: Zoom macOS Installer - VMRay
  6. Zoom iOS App Sends Data to Facebook Even if You Don't Have a Facebook Account
  7. Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!
  8. Jitsi Meet on Docker (see the note under Content above)

Non-Zoom Stories

  1. Millions of routers running OpenWRT vulnerable to attack
  2. Uncovering OpenWRT remote code execution (CVE-2020-7982)
  3. Marriott Was Hacked -- Again - Schneier on Security
  4. Ex-NSA hacker drops new zero-day doom for Zoom - TechCrunch
  5. Nvidia's Next-Generation GPUs Could Destroy Xbox Series X If Leaks Are True | Digital Trends
  6. CVE-2020-0796

Video Chat Client Vulnerability History

  1. Skype (Skype Technologies): List of security vulnerabilities
  2. Zoom: Security vulnerabilities
  3. Cisco Webex: List of security vulnerabilities
  4. Skype (Skype): List of security vulnerabilities
  5. Skype (Microsoft): List of security vulnerabilities
